Open gilesvessey opened 1 year ago
Any updates?
Any updates?
None from my end. I managed to get around this in a bit of a painful way: I used the SDK to `sts.assumeRole()` from the SSO-based profile, then took the temporary credentials returned and wrote those to a new profile in `~/.aws/config`.
If only there was a way for this to be handled automatically ;)
So I was actually able to work around this for now using aws2-wrap (here).
This is the setup in `~/.aws/config`:
```ini
[profile sso]
sso_start_url = https://...
sso_region = us-east-1
sso_account_id = ...
sso_role_name = ... [sso role]
role_session_name = ...

[profile main]
source_profile = sso
role_arn = ... [a role the SSO role has permissions to assume]
role_session_name = ...

[profile main-wrapped]
credential_process = aws2-wrap --process --profile main
```
Then, when working with my node app, I set the `AWS_PROFILE=main-wrapped` and `AWS_SDK_LOAD_CONFIG=1` env vars.
The `credential_process` thing is just a simple application that spews out the correct AWS credentials (access key ID, secret, and session token) after assuming the `main` profile.
I just ran into this as well. From what I can gather, the current SSO code (v2.1330.0) does not support using the `source_profile` attribute to delegate SSO configuration to another profile.
Here is the relevant `~/.aws/config`:
```ini
[default]
sso_start_url = https://acme.awsapps.com/start
sso_region = us-east-1
sso_account_id = 987654321
sso_role_name = MyPrincipal
region = us-east-1
output = json

[profile sandbox]
role_arn = arn:aws:iam::123456789:role/MyRole
source_profile = default
```
In my testing I would be dropped into the following error block, as there are no `sso_*` attributes defined on my `sandbox` profile:
```javascript
} else {
  if (!profile.sso_start_url || !profile.sso_account_id || !profile.sso_region || !profile.sso_role_name) {
    throw AWS.util.error(
      new Error('Profile ' + this.profile + ' does not have valid SSO credentials. Required parameters "sso_account_id", "sso_region", ' +
        '"sso_role_name", "sso_start_url". Reference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html'),
      { code: self.errorCode }
    );
  }
}
```
This does work with `aws-cli`:
```console
$ aws --profile sandbox sts get-caller-identity | jq -r '.UserId[0:6]'
AROAY7
```
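An added example, not code from the issue, the SDK or aws2-wrap, of the credential_process approach the two workarounds above describe, applied to the default/sandbox layout in this comment: it follows the `source_profile` hop down to the SSO profile (the step the SDK's SSO provider skips), assumes each `role_arn` in turn with the v2 SDK (`AWS.SsoCredentials`, `AWS.STS`), and prints the JSON a `credential_process` must emit. The network path assumes aws-sdk v2 is installed, `AWS_SDK_LOAD_CONFIG=1` is set as in the thread, and `aws sso login` has already been run; `SAMPLE_CONFIG` is a constructed copy of the config above for offline checks, and `sso-chain.js` is a hypothetical file name.

```javascript
// Constructed sample mirroring the config in this comment: a role profile chained to an SSO profile.
const SAMPLE_CONFIG = ['[default]', 'sso_start_url = https://acme.awsapps.com/start', 'sso_region = us-east-1',
  'sso_account_id = 987654321', 'sso_role_name = MyPrincipal', 'region = us-east-1', '[profile sandbox]',
  'role_arn = arn:aws:iam::123456789:role/MyRole', 'source_profile = default'].join('\n');
// Minimal ~/.aws/config parser: "[profile x]" or "[default]" headers followed by key = value lines.
function parseConfig(text) {
  const profiles = {}; let current;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const sec = line.match(/^\[\s*(?:profile\s+)?(\S+)\s*\]$/);
    if (sec) { current = profiles[sec[1]] = {}; continue; }
    const kv = line.match(/^([^=\s#;]+)\s*=\s*(.*)$/);
    if (kv && current) current[kv[1]] = kv[2];
  }
  return profiles;
}
// Follow source_profile links down to the profile carrying sso_* keys; return it plus the role ARNs to assume, in order.
function resolveChain(profiles, name, seen = new Set()) {
  const p = profiles[name];
  if (!p) throw new Error(`profile "${name}" not found`);
  if (seen.has(name)) throw new Error(`source_profile cycle at "${name}"`);
  seen.add(name);
  if (p.sso_start_url && p.sso_account_id && p.sso_region && p.sso_role_name) return { sso: name, roles: [] };
  if (!p.role_arn || !p.source_profile) throw new Error(`profile "${name}" has neither sso_* keys nor role_arn + source_profile`);
  const chain = resolveChain(profiles, p.source_profile, seen);
  chain.roles.push(p.role_arn);
  return chain;
}
// Shape resolved credentials into the JSON object a credential_process must print (Version 1, ISO 8601 expiry).
function toCredentialProcess(c) {
  return { Version: 1, AccessKeyId: c.AccessKeyId, SecretAccessKey: c.SecretAccessKey, SessionToken: c.SessionToken, Expiration: new Date(c.Expiration).toISOString() };
}
// Network path: needs aws-sdk v2 installed, AWS_SDK_LOAD_CONFIG=1, and a completed `aws sso login` for the SSO profile.
async function assumeThroughSso(profileName, configPath = require('os').homedir() + '/.aws/config') {
  const AWS = require('aws-sdk'); // loaded lazily so the pure helpers above run without it
  const chain = resolveChain(parseConfig(require('fs').readFileSync(configPath, 'utf8')), profileName);
  let creds = new AWS.SsoCredentials({ profile: chain.sso });
  for (const RoleArn of chain.roles) {
    const sts = new AWS.STS({ credentials: creds });
    const { Credentials: c } = await sts.assumeRole({ RoleArn, RoleSessionName: 'sso-chain' }).promise();
    creds = new AWS.Credentials(c.AccessKeyId, c.SecretAccessKey, c.SessionToken);
    creds.expireTime = c.Expiration;
  }
  await creds.getPromise(); // resolves the SSO token itself when no role_arn hop was needed
  return toCredentialProcess({ AccessKeyId: creds.accessKeyId, SecretAccessKey: creds.secretAccessKey, SessionToken: creds.sessionToken, Expiration: creds.expireTime });
}

// Usage: node sso-chain.js sandbox   (then: credential_process = node /path/to/sso-chain.js sandbox)
if (process.argv[2]) assumeThroughSso(process.argv[2]).then((out) => process.stdout.write(JSON.stringify(out)))
  .catch((e) => { console.error(e.message); process.exit(1); });
```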
Hi there,
Thank you for bringing this to our attention through your internal ticket. I have assigned it to our development queue.
All the best, Ran~
@RanVaknin any updates on this, OR a workaround that your team suggests?
Describe the bug
I have a somewhat complex IAM assume-role configuration that should work using the SDK and does work using the CLI.
Expected Behavior
THE ONLY AWS_ ENVIRONMENT VARIABLE SET IS AWS_SDK_LOAD_CONFIG=1
This works great:
Therefore, using the AWS SDK, the following should work as well:
Current Behavior
CLI OUTPUT (working):
SDK OUTPUT (issues):
Reproduction Steps
`role_arn` set to the IAM role you want to use the SSO profile to assume
`export AWS_SDK_LOAD_CONFIG=1`
Possible Solution
No response
Additional Information/Context
No response
SDK version used
2.1276.0
Environment details (OS name and version, etc.)
MacOS Catalina 10.15.6, AWS CLI 2.6.2, Node 16.17.1